refactor: use variables for graylog stack image versions

Move hardcoded image versions to variables defined in main.yml for
easier version management in one place.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

ansible/roles/common/handlers/main.yml

@@ -10,3 +10,9 @@
   ansible.builtin.service:
     name: fail2ban
     state: restarted
+
+- name: restart fluent-bit
+  become: true
+  ansible.builtin.systemd:
+    name: fluent-bit
+    state: restarted

ansible/roles/common/tasks/fluent-bit.yml

@@ -2,25 +2,6 @@
 # Fluent Bit - Log forwarder from journald to Graylog GELF
 # Deployed as systemd service (not container) for direct journal access
 
-# Clean up old container deployment if it exists
-- name: stop and remove fluent-bit container if exists
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_container:
-    name: fluent-bit
-    state: absent
-  ignore_errors: true
-
-- name: disable old fluent-bit container systemd service
-  become: true
-  become_user: "{{ podman_user }}"
-  ansible.builtin.systemd:
-    name: fluent-bit
-    enabled: false
-    state: stopped
-    scope: user
-  ignore_errors: true
-
 - name: install fluent-bit package
   become: true
   ansible.builtin.dnf:

ansible/roles/common/tasks/main.yml

@@ -3,6 +3,9 @@
 - import_tasks: security.yml
 - import_tasks: service.yml
 
+- import_tasks: fluent-bit.yml
+  tags: fluent-bit, graylog
+
 - name: create the docker group
   become: true
   ansible.builtin.group:

ansible/roles/common/templates/fluent-bit/fluent-bit.conf.j2

@@ -74,6 +74,12 @@
 # =============================================================================
 # FILTERS: Add metadata for Graylog categorization
 # =============================================================================
+# Exclude Graylog stack containers to prevent feedback loop
+[FILTER]
+    Name          grep
+    Match         podman.*
+    Exclude       CONTAINER_NAME ^graylog
+
 [FILTER]
     Name          record_modifier
     Match         podman.*
@@ -143,7 +149,7 @@
     Name          gelf
     Match         *
     Host          127.0.0.1
-    Port          12203
-    Mode          udp
+    Port          12202
+    Mode          tcp
     Gelf_Short_Message_Key MESSAGE
     Gelf_Host_Key host

ansible/roles/podman/handlers/main.yml

@@ -42,11 +42,3 @@
     scope: user
   tags:
     - zomboid
-
-- name: restart fluent-bit
-  become: true
-  ansible.builtin.systemd:
-    name: fluent-bit
-    state: restarted
-  tags:
-    - fluent-bit

ansible/roles/podman/tasks/containers/debyltech/graylog.yml

@@ -75,7 +75,7 @@
 - import_tasks: podman/podman-check.yml
   vars:
     container_name: graylog-mongo
-    container_image: docker.io/mongo:6
+    container_image: "{{ mongo_image }}"
   tags: graylog
 
 - name: create graylog-mongo container
@@ -83,7 +83,7 @@
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: graylog-mongo
-    image: docker.io/mongo:6
+    image: "{{ mongo_image }}"
     state: started
     restart_policy: on-failure:3
     log_driver: journald
@@ -103,7 +103,7 @@
 - import_tasks: podman/podman-check.yml
   vars:
     container_name: graylog-opensearch
-    container_image: docker.io/opensearchproject/opensearch:2
+    container_image: "{{ opensearch_image }}"
   tags: graylog
 
 - name: create graylog-opensearch container
@@ -111,7 +111,7 @@
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: graylog-opensearch
-    image: docker.io/opensearchproject/opensearch:2
+    image: "{{ opensearch_image }}"
     state: started
     restart_policy: on-failure:3
     log_driver: journald
@@ -135,7 +135,7 @@
 - import_tasks: podman/podman-check.yml
   vars:
     container_name: graylog
-    container_image: docker.io/graylog/graylog:6.0
+    container_image: "{{ image }}"
   tags: graylog
 
 # Graylog uses host network to reach MongoDB/OpenSearch on 127.0.0.1
@@ -145,7 +145,7 @@
   become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: graylog
-    image: docker.io/graylog/graylog:6.0
+    image: "{{ image }}"
     state: started
     restart_policy: on-failure:3
     log_driver: journald

ansible/roles/podman/tasks/main.yml

@@ -31,7 +31,7 @@
 
 - import_tasks: containers/home/hass.yml
   vars:
-    image: ghcr.io/home-assistant/home-assistant:2025.9
+    image: ghcr.io/home-assistant/home-assistant:2026.1
   tags: hass
 
 - import_tasks: containers/home/partkeepr.yml
@@ -86,15 +86,16 @@
     image: docker.io/louislam/uptime-kuma:2.0.2
   tags: home, uptime
 
-- import_tasks: containers/debyltech/geoip.yml
-  tags: debyltech, graylog, geoip
+- import_tasks: data/geoip.yml
+  tags: graylog, geoip
 
 - import_tasks: containers/debyltech/graylog.yml
+  vars:
+    mongo_image: docker.io/mongo:7.0
+    opensearch_image: docker.io/opensearchproject/opensearch:2
+    image: docker.io/graylog/graylog:7.0.1
   tags: debyltech, graylog
 
-- import_tasks: containers/base/fluent-bit.yml
-  tags: fluent-bit, graylog
-
 - import_tasks: containers/home/gregtime.yml
   vars:
     image: localhost/greg-time-bot:3.0.2

ansible/roles/podman/tasks/podman/podman.yml

@@ -112,6 +112,7 @@
 - name: fetch subuid of {{ podman_user }}
   become: true
   changed_when: false
+  check_mode: false
   ansible.builtin.shell: |
     set -o pipefail && cat /etc/subuid | awk -F':' '/{{ podman_user }}/{ print $2 }' | head -n 1
   register: podman_subuid